Ensure the Expiration Date is set for Key Vaults Keys

Overview

Ensure that all Keys in Azure Key Vaults have an expiration date set.

Rationale

Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The exp (expiration date) attribute identifies the expiration date on or after which the key MUST NOT be used to encrypt new data, wrap new keys, and sign. By default, keys never expire. Thus, keys should be rotated in the key vault, and an explicit expiration date should be set for all keys to help enforce the key rotation. This ensures that the keys cannot be used beyond their assigned lifetimes.

Impact

Keys cannot be used beyond their assigned expiration dates. They need to be rotated periodically wherever they are used.

Remediation guidance

Remediate from Azure Portal

Open the key using the Open in Azure button.
Set an appropriate Expiration date.

Remediate from Azure CLI

Update the Expiration date for the key using the below command:

az keyvault key set-attributes --name <keyName> --vault-name <vaultName> --expires

Remediate from PowerShell

Set-AzKeyVaultKeyAttribute -VaultName  -Name  -Expires

Multiple Remediation Paths

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

2. Remediate Existing Affected Assets

Execute the control-specific Console/CLI steps documented above for each flagged resource.
Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

Re-scan after each remediation batch.
Track exceptions with owner and expiry date.
Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Azure Key Vault Keys without expiration date

Connectors

Microsoft Azure

Covered asset types

KMSKey

Expected check: eq []

{
  kmsKeys(where: { expiration: "0000-01-01T00:00:00.000Z" }) {
    ...AssetFragment
  }
}